
SAP Updates Patch Twenty Vulnerabilities

Germany-based enterprise software maker SAP has addressed a total of twenty vulnerabilities as part of its September 2015 Security Patch Day.

In addition to fixing 20 new flaws, SAP noted that it has also updated five previously released patches. The company rated 16 of the new vulnerabilities as having “high” or “very high” (hot news) severity.


Of the total of 25 patches released this week, eight are missing authorization checks, and six are cross-site scripting (XSS) bugs. The rest of the vulnerabilities can be exploited for information disclosure, cross-site request forgery (CSRF), remote code execution, SQL injection, and other types of attacks.

SAP only shares details on the patched security bugs with its customers. However, SAP security solutions providers ERPScan and Onapsis have released some information on the vulnerabilities fixed with the September 2015 updates. It’s worth noting that some of the flaws patched this month have been identified by researchers from these companies.

The most serious vulnerability, with a CVSS score of 9.3, is a buffer overflow affecting SAP HANA Extended Application Services (XS). The flaw, patched with the 2197397 update, can be exploited by an attacker to execute malicious code with the privileges of the targeted application.

“This can lead to taking complete control over an application, denial of service, command execution, and other attacks,” ERPScan said. “In case of command execution, an attacker can obtain critical technical and business-related information stored in a vulnerable SAP system or use it for privilege escalation. As for denial of service, terminating the process of a vulnerable component is possible. Nobody will be able to use this service, resulting in a negative impact on business processes, system downtime, and, consequently, business reputation.”

Another update rated “hot news” is 850306, which, according to Onapsis, summarizes several Oracle patches linked to SAP products.

Other serious issues are an OS command execution vulnerability related to a SAP function module, a missing authorization check in SAP Foreign Trade, a SAP NetWeaver Business Client flaw that can lead to information disclosure or a denial-of-service (DoS) condition, and a SQL injection in SAP Batch Processing.


Missing authorization continues to be a common issue in SAP products. A report published in 2014 by ERPScan showed that of the 3,000 vulnerabilities patched by SAP since 2001, more than 700 (20 percent) were missing authorization flaws. Of these 700 issues, most affected SAP NetWeaver ABAP.
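To make the "missing authorization check" category concrete, below is an added example written for this article, not code from SAP, ERPScan or Onapsis, and not related to any specific patch mentioned above. It shows a remote-enabled ABAP function module that reads a custom table, first without any authorization check and then with an explicit AUTHORITY-CHECK before the data access. The function module names, the table ZCUSTOMER and the authorization object Z_CUST (with fields CUSTID and ACTVT) are hypothetical; ACTVT value '03' is SAP's standard "display" activity.

```abap
" Added example, not from the article: names Z_READ_CUSTOMER*, ZCUSTOMER
" and the authorization object Z_CUST are hypothetical.

" Before: no authorization check. Any user allowed to call this
" RFC-enabled function module can read every customer row.
FUNCTION z_read_customer_unchecked.
*"  IMPORTING
*"     VALUE(iv_custid) TYPE zcustomer-custid
*"  EXPORTING
*"     VALUE(es_customer) TYPE zcustomer
*"  EXCEPTIONS
*"     not_found
  SELECT SINGLE * FROM zcustomer INTO es_customer
    WHERE custid = iv_custid.
  IF sy-subrc <> 0.
    RAISE not_found.
  ENDIF.
ENDFUNCTION.

" After: the module checks the caller's authorization for the requested
" customer and activity before touching the data. The user's roles, not
" the ability to call the module, decide what is returned.
FUNCTION z_read_customer.
*"  IMPORTING
*"     VALUE(iv_custid) TYPE zcustomer-custid
*"  EXPORTING
*"     VALUE(es_customer) TYPE zcustomer
*"  EXCEPTIONS
*"     not_authorized
*"     not_found
  AUTHORITY-CHECK OBJECT 'Z_CUST'
    ID 'CUSTID' FIELD iv_custid
    ID 'ACTVT'  FIELD '03'.       " 03 = display
  IF sy-subrc <> 0.
    RAISE not_authorized.         " deny before any data is read
  ENDIF.
  SELECT SINGLE * FROM zcustomer INTO es_customer
    WHERE custid = iv_custid.
  IF sy-subrc <> 0.
    RAISE not_found.
  ENDIF.
ENDFUNCTION.
```

The check is placed before the SELECT so that an unauthorized caller learns nothing about whether the record exists. Reviewing custom and remote-enabled function modules for exactly this pattern (data access with no preceding AUTHORITY-CHECK) is how the flaw class the report describes is typically found in code audits of ABAP systems.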

Last month, SAP released 26 patches, 15 of which were rated as having high severity.

Related Reading: Majority of SAP Attacks Use One of Three Common Techniques

Related Reading: SAP Encryption Issues Pose Serious Risk to Organizations

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
